Hi,
I'm using your wonderful app for Netflow, which is working perfectly.
Here is the problem I have had since I upgraded to V2.0:
I run one instance of splunk, but I'm retrieving netflow records from other servers as well.
I want to split the netflow records for each of my servers; this way I can look at the traffic for a particular server.
What I've done so far was to take your app and rename every reference to "sourcetype=netflow" to "sourcetype=netflow_xxxxx".
So basically, I have one instance of your netflow app for each of my servers.
It was working well on 1.0, but on 2.0 it's not working anymore. I have modified my monitored nfdump.log to go to the index I specified (netflow_si_traffic_xxxx).
But I'm not getting any result in the dashboard; here is what I'm getting:
This search has completed and has returned 10,000 results by scanning 10,497 events in 0.699 seconds.
The following messages were returned by the search subsystem:
DEBUG: base lispy: [ AND index::netflow_si_traffic_togo ]
DEBUG: search context: user="admin", app="netflow_togo", bs-pathname="/opt/splunk/etc"
Event search : search index=netflow_si_traffic_togo | fields src_ip src_port src_service dst_ip dst_port dst_service proto proto_name router_ip _time num_bytes num_packets bps
If I launch this search manually, I am getting results.
So do you know what the problem could be? Have you changed some parameters of nfdump or nfcapd?
I'm exporting my nfdump.log with the right format (I think): fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %pps %bps %bpp %fl %ra
Thanks for your answer.
You may also consider another App based on 3rd party software - NetFlow Integrator. It is a streaming technology that converts NetFlow to syslog on the fly, thus making it available in Splunk in real time. Sign up for Beta now. Demo App is here:
http://splunk-base.splunk.com/apps/NetFlow-based+Network+Monitoring+(Beta)
In this version (v2.0), I used the Splunk summary index technique to improve the searching performance. Therefore, your method of renaming sourcetype=netflow_xxx will not work anymore, because the summary index will rename the sourcetype to 'stash'. What you might be able to do is use the 'host' field in your search to separate each of your servers.
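As an added example (not code from the Splunk netflow app or from anyone in this thread), the parser below reads nfdump.log lines written with the exact format string quoted in the question and splits the flows per exporting router, using the %ra (router IP) field rather than the sourcetype, which the summary index overwrites with 'stash'. It assumes nfdump was run with -N so that byte and packet counters are plain numbers, and the sample lines are constructed, not real traffic; the field names it produces mirror the ones in the dashboard search (src_ip, src_port, dst_ip, dst_port, router_ip, num_bytes, num_packets, bps).

```python
"""Parse nfdump custom-format lines and group flows per exporting router.

Assumed nfdump format (taken from the question):
  fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %pps %bps %bpp %fl %ra
Assumes nfdump was run with -N (no unit scaling), so counters are integers.
"""
from collections import defaultdict

# Constructed sample of nfdump output in the format above (not real traffic).
SAMPLE_LOG = """\
2012-03-01 10:15:02.123 0.512 TCP 10.0.0.5:44321 -> 192.168.1.10:443 .AP.SF 0 12 5400 23 84375 450 1 10.1.1.1
2012-03-01 10:15:03.001 0.000 UDP 10.0.0.7:53412 -> 8.8.8.8:53 ...... 0 1 76 0 0 76 1 10.1.1.1
2012-03-01 10:15:04.250 2.000 TCP 172.16.2.9:51000 -> 10.0.0.5:22 .AP... 0 40 6000 20 24000 150 1 10.2.2.1
"""

# %ts prints "date time" as two whitespace-separated tokens, hence 16 tokens per line.
FIELDS = [
    "ts_date", "ts_time", "duration", "proto_name", "src", "arrow", "dst",
    "flags", "tos", "num_packets", "num_bytes", "pps", "bps", "bpp", "flows",
    "router_ip",
]
INT_FIELDS = ("num_packets", "num_bytes", "pps", "bps", "bpp", "flows")


def split_addr(addr):
    """Split 'ip:port' on the last colon so IPv6 addresses stay intact."""
    ip, _, port = addr.rpartition(":")
    if not ip or not port.isdigit():
        raise ValueError(f"malformed address:port token: {addr!r}")
    return ip, int(port)


def parse_line(line):
    """Turn one nfdump line into a dict keyed like the dashboard's fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} tokens, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["src_ip"], rec["src_port"] = split_addr(rec.pop("src"))
    rec["dst_ip"], rec["dst_port"] = split_addr(rec.pop("dst"))
    rec.pop("arrow")  # the literal '->' separator carries no data
    rec["_time"] = f"{rec.pop('ts_date')} {rec.pop('ts_time')}"
    rec["duration"] = float(rec["duration"])
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse every non-empty line; a bad line raises rather than being skipped silently."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def flows_by_router(records):
    """Group flow records by the exporter that sent them (the %ra field)."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["router_ip"]].append(rec)
    return dict(grouped)


def bytes_per_router(records):
    """Total bytes seen per exporting router, the per-server view the question asks for."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["router_ip"]] += rec["num_bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for router, flows in flows_by_router(recs).items():
        print(f"router {router}: {len(flows)} flows, {bytes_per_router(flows)[router]} bytes")
```

In Splunk terms, the equivalent split is to filter the summary-indexed events on router_ip (or on host, as the app author suggests) instead of on a renamed sourcetype; the parser above shows that the router address is already present in every nfdump line, so no per-server copy of the app is needed.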